Description
BAM-13916 is not resolved and we are still seeing our production password appearing in the logs for shell commands that the build is executing. An example command (with the script filename removed):
perl <SCRIPT> PRODUCTION file=all pw=${bamboo.dbpassword} ALLOW_NUMERIC_CHANGES=1
The line that logs the execution of that command shows the password in plaintext and looks like this:
simple 06-Jul-2015 16:10:08 Executing [perl <SCRIPT> PRODUCTION file=all pw=<PASSWORD> ALLOW_NUMERIC_CHANGES=1]
Also seen in version 5.9:
Additionally, failures of the type com.atlassian.utils.process.ProcessException can expose variables saved with "password" in the var name.
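A way to audit existing build logs for the leak described in this report, and to mask the value before a log is shared, written as an added example that is not Bamboo's code or the reporter's. The variable values, the log lines and the exception message text are constructed; only the `bamboo.dbpassword` name and the shape of the `Executing [...]` line come from the report.

```python
import re

MASK = "********"
# Assumption: a variable is treated as secret when its name contains "password".
SENSITIVE_NAME = re.compile(r"password", re.IGNORECASE)

# Constructed sample data, shaped like the "Executing [...]" line in the report.
VARIABLES = {
    "bamboo.dbpassword": "Ex4mple-Pr0d-Pw",
    "bamboo.dbuser": "deploy",
}
LOG_LINES = [
    "simple 06-Jul-2015 16:10:07 Starting task",
    "simple 06-Jul-2015 16:10:08 Executing [perl <SCRIPT> PRODUCTION file=all "
    "pw=Ex4mple-Pr0d-Pw ALLOW_NUMERIC_CHANGES=1]",
    "error 06-Jul-2015 16:10:09 com.atlassian.utils.process.ProcessException: "
    "(constructed message) pw=Ex4mple-Pr0d-Pw",
]


def sensitive_values(variables):
    """Map secret value -> variable name for names containing 'password'."""
    return {v: k for k, v in variables.items() if v and SENSITIVE_NAME.search(k)}


def find_leaks(lines, variables):
    """Return (1-based line number, variable name) for each secret found in the log."""
    secrets = sensitive_values(variables)
    return [(n, name) for n, line in enumerate(lines, 1)
            for value, name in secrets.items() if value in line]


def redact(line, variables):
    """Mask secret values, longest first so overlapping secrets are fully covered."""
    for value in sorted(sensitive_values(variables), key=len, reverse=True):
        line = line.replace(value, MASK)
    return line


if __name__ == "__main__":
    for n, name in find_leaks(LOG_LINES, VARIABLES):
        print(f"line {n}: value of {name} appears in plaintext")
    print(redact(LOG_LINES[1], VARIABLES))
```

Matching on the literal value only catches the secret as stored; a value that the shell or script re-encodes (quoted, URL-encoded, base64) before it is logged needs those forms added to the search set.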